Vulnerability Database

308,918

Total vulnerabilities in the database

CVE-2018-15891

An issue was discovered in FreePBX core before 3.0.122.43, 14.0.18.34, and 5.0.1beta4. By crafting a request for adding Asterisk modules, an attacker is able to store JavaScript commands in a module name.

Published: Jun 20, 2019
Updated: Nov 9, 2025
CVE: CVE-2018-15891
Severity: Low
Exploit:

CVSS v2:

Severity: Low
Score: 3.5
AV:N/AC:M/Au:S/C:N/I:P/A:N

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
freepbx / freepbx	15.0.1	15.0.1.x
sangoma / freepbx	-	13.0.122.43
sangoma / freepbx	14.0.0	14.0.18.34
sangoma / freepbx	15.0.1-beta4	15.0.1-beta4.x
sangoma / freepbx	15.0.0	15.0.1.x

https://wiki.freepbx.org/display/FOP/2018-09-11+Core+Stored+XSS?src=contextnavpagetreemode
https://www.freepbx.org/

Deep Security Visibility Without the Complexity

SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.

No setup fees
5-min deployment
Cancel anytime

Book a Demo